Request a Quote
Securing Your Site: Setting Security Headers when migrating to HubSpot CMS
Vikram Singh Vikram Singh
Posted on February 19, 2024

Securing Your Site: Setting Security Headers when migrating to HubSpot CMS

Discover the significance of implementing proper security headers in your domain settings and learn how to do it effectively in HubSpot.

Understanding the Role of HTTP Security Headers

HTTP security headers play a crucial role in protecting your website from various security threats. These headers are additional lines of code that are included in the HTTP response from the server to the browser. They provide instructions to the browser on how to handle and protect the content of your website.

By implementing proper HTTP security headers, you can enhance the security of your website and protect it against common attacks such as cross-site scripting (XSS), clickjacking, and data sniffing. These headers help in preventing unauthorized access, ensuring data integrity, and maintaining user privacy.

When migrating to HubSpot CMS, it is important to understand the role of HTTP security headers and how to configure them correctly to ensure the security of your site.

domain-security-settings

Implementing HTTP security headers can enhance the trustworthiness of your website. When visitors see that your site has proper security measures in place, they are more likely to trust your brand and feel confident interacting with your content.

Common Types of HTTP Security Headers

There are several common types of HTTP security headers that you should consider implementing in HubSpot. These include:

  • Content Security Policy (CSP): CSP helps in preventing the execution of malicious scripts by allowing the browser to only load content from trusted sources. A good to way to check your CSP by using the tool provided by Google at https://csp-evaluator.withgoogle.com/
    csp-evaluation
    A CSP will involve a typical code like this below which can include all your trusted sources and paste it in security settings:

    img-src *.mytrustedsourcesite.com data: *.hs-sites.com https://api-na1.hubapi.com *.ytimg.com 'self' *.linkedin.com https://static.hsappstatic.net https://*.google-analytics.com https://*.googletagmanager.com js.hscta.net *.hubspot.com *.hubspotusercontent-na1.net *.hubspotusercontent20.net *.hubspot.net cdn2.hubspot.net *.hsforms.net *.hsforms.com;

    connect-src 'self' https://cdn.linkedin.oribi.io *.doubleclick.net snap.licdn.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com *.hubapi.com js.hscta.net *.hubspot.com *.hs-banner.com *.hscollectedforms.net *.hsforms.com;

    frame-src 'self' *.hubspot.com *.hs-sites.com *.hubspot.net play.hubspotvideo.com  *.hsforms.net *.hsforms.com youtube.com www.youtube.com;

    style-src 'unsafe-inline' 'self' *.hubspot.com https://static.hsappstatic.net/  https://cdn.jsdelivr.net/ https://code.jquery.com/ https://cdnjs.cloudflare.com https://use.fontawesome.com/ *.hubspotusercontent20.net cdn2.hubspot.net  fonts.googleapis.com;

    font-src 'self' *.hubspot.com *.hubspotusercontent-na1.net fonts.gstatic.com cdn2.hubspot.net https://cdnjs.cloudflare.com  *.hubspotusercontent20.net;

    script-src 'self' 'strict-dynamic' https://cdn.jsdelivr.net/ https://code.jquery.com/ https://cdnjs.cloudflare.com https://use.fontawesome.com/ snap.licdn.com *.hsadspixel.net *.hs-analytics.net js.hscta.net *.hubspot.com static.hsappstatic.net *.usemessages.com *.hs-banner.com *.hubspotusercontent-na1.net *.hubspotusercontent20.net *.hubspot.net  *.hscollectedforms.net *.hsleadflows.net *.hsforms.net *.hsforms.com *.hs-scripts.com *.hubspotfeedback.com feedback.hubapi.com https://*.googletagmanager.com www.google-analytics.com 'nonce-in/IvwNA6jg0qWUA+NwHFw==';

    object-src 'none';

    base-uri 'none';

    upgrade-insecure-requests;


    csp-hubspot

  • X-XSS-Protection: This header enables the built-in cross-site scripting (XSS) protection of modern browsers.
  • X-Frame-Options: X-Frame-Options header prevents clickjacking attacks by specifying whether your website can be displayed within an iframe.
  • Strict-Transport-Security (HSTS): HSTS header forces the browser to only access your website over HTTPS, ensuring a secure connection.
  • X-Content-Type-Options: This header prevents the browser from MIME-sniffing the response and strictly adheres to the declared content type.

By implementing these headers, you can significantly enhance the security posture of your HubSpot CMS.

How to Configure HTTP Security Headers in HubSpot

Configuring HTTP security headers in HubSpot is a straightforward process. Here are the steps to follow:

  1. Log in to your HubSpot account and navigate to your website settings.
  2. Go to the 'Domains & URLs' section and select the domain you want to configure.
  3. Scroll down to the 'Security' section and click on 'Edit' next to 'HTTP Security Headers'.
  4. Enable the headers you want to implement by toggling the respective switches.
  5. Customize the headers according to your specific requirements. HubSpot provides options to set values for each header.
  6. Save your changes and publish your website to apply the updated security headers.

It is recommended to test your website thoroughly after configuring the security headers to ensure they are implemented correctly and do not cause any compatibility issues.

Best Practices for Maintaining Robust Security Headers

To maintain robust security headers in HubSpot, it is important to follow these best practices:

  • Regularly review and update your security headers to stay protected against emerging threats. Stay informed about any changes or updates to recommended security header configurations.
  • Test your website after any updates or changes to the security headers to ensure they are functioning as intended and not causing any unintended issues.
  • Stay up to date with the latest security practices and industry standards to ensure you are implementing the most effective security headers.
  • Monitor your website for any security vulnerabilities or suspicious activities. Implement additional security measures, such as web application firewalls, to further enhance your website's security.

By following these best practices, you can maintain a strong security posture and protect your HubSpot CMS from potential security breaches.

When we perform a HubSpot CMS Migration, we make sure to have correct security settings before your site goes live.
,

Leave a reply

Our Recent Blogs

How to optimize HubSpot CMS Pages for Performance
Vikram Singh
Vikram Singh
Posted on March 5, 2024

How to optimize HubSpot CMS Pages for Performance

Securing Your Site: Setting Security Headers when migrating to HubSpot CMS
Vikram Singh
Vikram Singh
Posted on February 19, 2024

Securing Your Site: Setting Security Headers when migrating to HubSpot CMS

Handling URL Redirects in a HubSpot CMS Migration
Deepti Mittal
Deepti Mittal
Posted on February 14, 2024

Handling URL Redirects in a HubSpot CMS Migration

Introducing IGNITE: A New Free Theme for HubSpot CMS
Vikram Singh
Vikram Singh
Posted on February 7, 2024

Introducing IGNITE: A New Free Theme for HubSpot CMS

Implementing Pagination in HubSpot CMS
Deepti Mittal
Deepti Mittal
Posted on September 6, 2023

Implementing Pagination in HubSpot CMS

HubSpot CRM for capturing leads at a physical event
Deepti Mittal
Deepti Mittal
Posted on August 21, 2023

HubSpot CRM for capturing leads at a physical event

How to create a pricing page for your website on HubSpot
Admin
Admin
Posted on August 7, 2023

How to create a pricing page for your website on HubSpot

10 best Landing Page Designs in HubSpot CMS in 2023
Deepti Mittal
Deepti Mittal
Posted on July 13, 2023

10 best Landing Page Designs in HubSpot CMS in 2023

5 Best HubSpot CRM Integrations in 2023
Vikram Singh
Vikram Singh
Posted on July 6, 2023

5 Best HubSpot CRM Integrations in 2023

Why CRM suite is important in your business
Deepti Mittal
Deepti Mittal
Posted on February 10, 2023

Why CRM suite is important in your business